Install and start
Install the fd0 client on each machine that should hold secrets. The hosted service at fd0.sh is the default backend; self-hosted clients use the same binary with a different [sync].server.
Install the client
$ curl -fsSL https://fd0.sh/install | sh $ fd0 version
The installer picks Linux or macOS, amd64 or arm64, verifies the release manifest with cosign when available, and writes fd0 plus fd0-agent to ~/.local/bin. Use --system to install into /usr/local/bin.
Update the client
$ fd0 update --check $ fd0 update
fd0 update updates fd0 and fd0-agent from the latest client release. It verifies the archive checksum and uses cosign when available. If the agent is running, restart it after the update with fd0 agent restart.
Create a vault
$ fd0 init $ fd0 unlock $ fd0 scope create --label work $ fd0 set API_TOKEN "secret-value" --scope work $ fd0 sync
fd0 init creates your identity and seals the vault under a passphrase. fd0 unlock starts the agent. fd0 sync publishes encrypted events to the configured primary and pulls changes from other devices.
Configure another backend
$ mkdir -p ~/.fd0 $ cat >~/.fd0/config.toml <<'EOF' [sync] server = "https://fd0.example.com" interval = "1h" on_unlock = true EOF